Bleichenbacher's CCA2 on RSA
A server is giving feedback it's not supposed to. Can you stage an online attack?
Hello There, Is there an optimal choice for the first s ? I have tried random values (but I am sure there is a better choice) for a few hours, with no luck. Any hint ? Thanks
I started with the value
s = ceiling(N / 3B) (
B being defined in the paper as
2^(8 * (k-2)) ). This is the same value as is recommended in Step 2.a of the paper.
I arrive at a valid solution but it is 14 hex characters, and a bunch of 0's padded on the right. They are not ASCII characters and this doesn't resemble a valid padded message. Any thoughts? I wouldn't think a valid solution would be found by accident.
That doesn't sound quite right, you can email us with the specifics if you like. Otherwise I'm not sure there's much I can recommend beside double checking you implemented the algorithm, as described in the paper, correctly
I rewrote basically the exact same algorithm on a python 2.7 machine and got the correct answer. The python 3 version seems to give an incorrect answer. In any case I got it, thanks.
It may have to do with the fact that python 2 will round down to the nearest integer when you divide two integers. Python 3 will actually give you back a float when you divide two integers (use // in 3 to get the behavior of / in 2). In any case, congrats on solving the problem!
Is it expected that the oracle returns 0 on the original ciphertext?